
Re: AH-MD5



   Date: Fri, 27 Jan 1995 18:07:24 -0500
   From: "Perry E. Metzger" <perry@imsi.com>

   Does anyone have a concrete argument against the security of MD5 used
   as we are using it? Not aesthetic concerns, not "well, we don't know
   if MD5 is secure" (because if it isn't we should just scrap it,
   period!). I'm looking for an argument of the form...

Perry, perhaps there are people in the NSA with crypto clearances for
which the art of designing and using cryptosystems is a science, not an
art.  Unfortunately, those of us who live in the free world do not have
this luxury.

You will recall that MD5 was designed and pushed out the door not
because the author could prove any weaknesses about MD4 --- as far as
he knew there had been no attacks on MD4 --- but because he felt
"uncomfortable" with some of the design decisions that had been made,
and so he added some complexity to MD5, even though this came at the
cost of slowing it down.

Those of us who are advocating a similar prepend+data+postpend system
are making the same sort of argument which led Ron Rivest to design, and
us to use, MD5 instead of the faster MD4.  Your same argument could be
used to say that we should use MD4 instead of MD5, since no one has come
up with an attack against MD4!

Yet.

						- Ted
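The message above contrasts a plain keyed-MD5 prefix (key followed by the datagram) with the "prepend+data+postpend" form (key, datagram, key again). The following is an added illustration, not code from this thread or from any AH implementation: it computes both constructions over a constructed datagram, puts HMAC-MD5 beside them for comparison, and verifies tags with a constant-time compare. The zero-fill of the key to a 64-byte block boundary and the sample key and datagram are assumptions made for the example, not a specification from the thread.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 compresses 64-byte blocks; used here for the assumed key fill rule


def pad_key(key: bytes) -> bytes:
    """Zero-fill the key to the next 64-byte boundary (assumed fill rule, not from the thread)."""
    return key + b"\x00" * (-len(key) % BLOCK)


def prefix_md5(key: bytes, data: bytes) -> bytes:
    """Plain keyed MD5: MD5(key || data)."""
    return hashlib.md5(key + data).digest()


def envelope_md5(key: bytes, data: bytes) -> bytes:
    """The prepend+data+postpend form discussed above: MD5(key || data || key)."""
    k = pad_key(key)
    return hashlib.md5(k + data + k).digest()


def hmac_md5(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 (the later standardised keyed construction), for comparison."""
    return hmac.new(key, data, hashlib.md5).digest()


CONSTRUCTIONS = {
    "prefix": prefix_md5,
    "envelope": envelope_md5,
    "hmac": hmac_md5,
}


def verify(name: str, key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (avoids timing leaks on mismatch)."""
    return hmac.compare_digest(CONSTRUCTIONS[name](key, data), tag)


def demo() -> dict:
    # Constructed sample values; any real AH key and datagram would differ.
    key = b"constructed-example-key"
    datagram = b"\x45\x00\x00\x54" + b"constructed IP payload for the example"
    tampered = datagram[:-1] + bytes([datagram[-1] ^ 0x01])  # flip one bit

    tags = {name: fn(key, datagram) for name, fn in CONSTRUCTIONS.items()}
    results = {}
    for name, tag in tags.items():
        results[name] = {
            "tag_len": len(tag),
            "genuine_verifies": verify(name, key, datagram, tag),
            "tampered_verifies": verify(name, key, tampered, tag),
        }
    # The three constructions yield three different tags for the same key and data.
    results["distinct_tags"] = len(set(tags.values())) == len(tags)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The point of running all three side by side is that a receiver must know which construction the sender used; a tag produced under one form never verifies under another, so the choice belongs in the security association, not in a per-packet guess.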

